DataHub v11 uses OpenSSL 3.3, a change from previous versions that use OpenSSL 1.1. OpenSSL 3 requires certificates to have stronger keys than in previous versions, so when DataHub v11 is acting as an SSL client it will reject connections to servers using weak certificates.
This is a breaking change. If you are using tunnelling, MQTT or web server functions in a DataHub application, you may need to re-generate the certificates for any DataHub installation being upgraded to v11 from an earlier version. If you intend to connect DataHub v11 to older versions, you may also need to upgrade the SSL certificates on the older versions.
The sample certificate, datahub.pem, that is installed with the DataHub installation has been changed in v11 to use a stronger key. This certificate is not valid - it is self-signed, possibly expired and issued to an invalid DNS name. If you are running older versions of DataHub software with the sample certificate, you can copy datahub.pem from a v11 installation to an earlier DataHub installation to re-establish the connection.
If you have generated your own server certificates then you may not be affected by this change. Most certificate generators default to an acceptable key length and hashing algorithm. If your generated certificate is weak, you will need to generate a new one.
If the DataHub v11 tunneller rejects a certificate because its key is weak, you will see a message similar to this in the DataHub Event Log:
[2024-06-25 05:47:06.977] I: [TCP to TUN000 into domain]: SSL Certificate failure: 66: depth 0: EE certificate key too weak: /C=CA/ST=Ontario/L=Georgetown/O=Cogent Real-Time Systems Inc./OU= Developers/CN=developers.cogentrts.com/[email protected]
Look for the failure message, EE certificate key too weak.
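To find every connection and server certificate affected after an upgrade, the Event Log can be scanned for that message. The following is an added example, not DataHub code: the line layout is inferred from the single sample above, and the function names, host names and sample lines are constructed for illustration.

```python
import re

# Line layout inferred from the one Event Log sample on this page (an assumption).
FAILURE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\w+:\s+\[(?P<conn>[^\]]+)\]:\s+"
    r"SSL Certificate failure:\s+(?P<code>\d+):\s+depth\s+(?P<depth>\d+):\s+"
    r"(?P<reason>[^:]+):\s+(?P<subject>/.*)$"
)
WEAK_KEY = "EE certificate key too weak"  # message the page says to look for


def parse_subject(dn):
    """Split a one-line subject (/C=../O=../CN=..) into a dict of fields."""
    fields = {}
    for part in re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value.strip()
    return fields


def weak_key_failures(lines):
    """Return {(connection, subject CN): summary} for weak-key rejections."""
    found = {}
    for line in lines:
        m = FAILURE_RE.match(line.strip())
        if not m or m["reason"].strip() != WEAK_KEY:
            continue  # not a certificate failure, or a different failure
        cn = parse_subject(m["subject"]).get("CN", m["subject"])
        entry = found.setdefault(
            (m["conn"], cn), {"count": 0, "first": m["ts"], "last": m["ts"]}
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
    return found


# Constructed sample lines (not from a real log); all names are placeholders.
SAMPLE_LOG = """\
[2024-06-25 05:47:06.977] I: [TCP to TUN000 into domain]: SSL Certificate failure: 66: depth 0: EE certificate key too weak: /C=CA/O=Example Plant/OU= Operations/CN=tunnel01.example.com
[2024-06-25 05:47:07.102] I: [TCP to TUN000 into domain]: Connection closed
[2024-06-25 05:48:06.981] I: [TCP to TUN000 into domain]: SSL Certificate failure: 66: depth 0: EE certificate key too weak: /C=CA/O=Example Plant/OU= Operations/CN=tunnel01.example.com
[2024-06-25 05:49:10.400] I: [TCP to TUN001 into domain]: SSL Certificate failure: 10: depth 0: certificate has expired: /C=CA/O=Example Plant/CN=tunnel02.example.com
""".splitlines()

if __name__ == "__main__":
    for (conn, cn), info in weak_key_failures(SAMPLE_LOG).items():
        print(f"{conn}: {cn} rejected {info['count']}x, last {info['last']}")
```

Each key in the result names a connection and the server certificate that needs to be regenerated; repeated rejections of the same certificate are collapsed into one entry with a count.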
If you cannot upgrade the certificate on a server for some reason, you can modify the configuration in the client to accept invalid certificates:
In the DataHub Tunnel/Mirror Slave SSL configuration, un-check the options Reject invalid certificates and Reject host name mismatch.
In the DataHub MQTT Client Authentication configuration, check the option Accept invalid certificates.
OPC UA connections are not affected by this change.